exasol/error-code-crawler-maven-plugin

Remove CVE-2020-8908 workaround

Closed this issue · 7 comments

After maven-core fixed CVE-2020-8908 (by updating the guava dependency) we can also remove the explicit exclude (added in 05dc12e) from the pom.xml again.

Additional vulnerability

According to the CVE the problem was fixed in version 30.0. Latest at the moment is 31.1.

https://search.maven.org/artifact/org.checkerframework.annotatedlib/guava

Yes, but mvn-core did not update the dependency yet:

[INFO] +- org.apache.maven:maven-core:jar:3.8.1:compile
[INFO] | +- com.google.inject:guice:jar:no_aop:4.2.1:compile
[INFO] | | +- com.google.guava:guava:jar:25.1-android:compile

Still not fixed in 3.8.4:

[INFO] +- org.apache.maven:maven-core:jar:3.8.4:provided
...
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.2:provided
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:provided

Still not fixed in 3.8.6:

[INFO] +- org.apache.maven:maven-core:jar:3.8.6:provided
...
[INFO] |  +- com.google.inject:guice:jar:no_aop:4.2.2:provided
[INFO] |  |  +- aopalliance:aopalliance:jar:1.0:provided
[INFO] |  |  \- com.google.guava:guava:jar:25.1-android:provided

Version number for guice is not pinned in maven-core.
Latest guice is 5.1.
And it looks like this guice does not pin Guava.
@kaklakariada , what am I overlooking here?

You mean we could explicitly upgrade the transitive dependency guava? That would be an option, you are right.
Unblocking this.

After overriding dependency to guice 4.2.2 by 5.1.0 I still get

I propose to keep the current workaround: exclude dependency to guava.
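The two approaches discussed in this thread, as an added pom.xml fragment (not the plugin's own pom.xml and not from the exasol project): option A is the existing workaround, excluding the transitive guava brought in by maven-core via guice; option B is the alternative raised above, pinning guava to a fixed version through dependencyManagement so that every transitive path resolves to it. The maven-core, guice and guava versions are the ones quoted in the thread; the "-jre" suffix on the guava version is an assumption (com.google.guava:guava publishes -jre and -android flavours, the thread only says "31.1"). Use one option or the other, not both.

```xml
<!-- Added example fragment, not the project's own pom.xml.
     Project coordinates (modelVersion, groupId, artifactId, version) are omitted. -->
<project>
  <dependencies>
    <!-- Option A: the existing workaround. maven-core pulls in
         com.google.inject:guice, which pulls in guava 25.1-android;
         the exclusion removes that path from the plugin's classpath. -->
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>3.8.6</version>
      <scope>provided</scope>
      <exclusions>
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <!-- Option B: instead of excluding guava, force the fixed version for all
       transitive paths (guice and anything else that declares guava).
       30.0 is the first release the CVE lists as fixed; 31.1 is the latest
       named in the thread. "-jre" is an assumed flavour suffix. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>31.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Either way, confirm the result with `mvn dependency:tree -Dincludes=com.google.guava`: with option A guava disappears from the tree, with option B only the managed version remains. One caveat that matters for the decision in this issue: maven-core is in `provided` scope, so at run time the plugin uses the guava that the Maven installation itself ships in its lib directory, not the one the plugin's pom declares. Both options change what dependency scanners report and what the plugin compiles against; neither changes the guava that Maven actually loads, which is why the real fix remains a Maven release with the updated dependency.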